Hello, all. It think I already know the negative answer to this question but is there a way to synchronize different password fields in 389? As a relative novice at 389 and a real novice at Asterisk, I''ve been dropped into the deep end of building an integrated Asterisk, Kaimalio, RTPProxy, FreePBX system using our existing LDAP as a database backend. There is a great article on using 389 in RedHat magazine (http://magazine.redhat.com/2008/07/24/open-source-telephony-a-fedora-based-voip-server-with-asterisk/) but the schema introduces a new password attribute. We''d like to for users to only have to change passwords once, not once for their data and once for the SIP accounts. Additionally, for security reasons, users'' email addresses (and thus their SIP IDs) are different than their internal uids. Kamailio looks like it makes this easier in that we can specify a query using the email attribute and tell it which password field we want to retrieve. I''m not sure how it will handle the hashing. I''m more at a loss for how to do this in Asterisk. In any event, I will ask the Asterisk folks if we can use the existing password attribute rather than a specific SIPPassword attribute but, in case they say no, is there any way to sync the two password fields other than IPA? Thanks - John -- John A. Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan@opensourcedevel.com http://www.spiritualoutreach.com Making Christianity intelligible to secular society
On Tue, 2009-06-02 at 08:51 -0400, John A. Sullivan III wrote:> Hello, all. It think I already know the negative answer to this > question but is there a way to synchronize different password fields in > 389? > > As a relative novice at 389 and a real novice at Asterisk, I''ve been > dropped into the deep end of building an integrated Asterisk, Kaimalio, > RTPProxy, FreePBX system using our existing LDAP as a database backend. > There is a great article on using 389 in RedHat magazine > (http://magazine.redhat.com/2008/07/24/open-source-telephony-a-fedora-based-voip-server-with-asterisk/) but the schema introduces a new password attribute. We''d like to for users to only have to change passwords once, not once for their data and once for the SIP accounts. > > Additionally, for security reasons, users'' email addresses (and thus > their SIP IDs) are different than their internal uids. > > Kamailio looks like it makes this easier in that we can specify a query > using the email attribute and tell it which password field we want to > retrieve. I''m not sure how it will handle the hashing. I''m more at a > loss for how to do this in Asterisk. > > In any event, I will ask the Asterisk folks if we can use the existing > password attribute rather than a specific SIPPassword attribute but, in > case they say no, is there any way to sync the two password fields other > than IPA? Thanks - JohnHmm . . . as I read more, this seems to be complicated by the fact that SIP wants a hash in the form of hash(username:realm:password). There''s an interesting article on this issue and a solution interposing RADIUS between LDAP and Asterisk at http://www-rocq.inria.fr/who/Philippe.Sultan/Asterisk/asterisk_sip_external_authentication.html for anyone else who is facing such an issue - John -- John A. Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan@opensourcedevel.com http://www.spiritualoutreach.com Making Christianity intelligible to secular society
On Tue, 2 Jun 2009, John A. Sullivan III wrote:> Hello, all. It think I already know the negative answer to this > question but is there a way to synchronize different password fields in > 389?FreeIPA has a plugin to keep userPassword in sync with the Samba password hashes and the Kerberos password, but as far as I know, there''s no generalized solution to this problem. I''d love for there to be one -- a configurable plugin or something like that -- but C isn''t my forte. I think a lot of us are mucking with the same issue, just with slightly different parameters. Chris St. Pierre Unix Systems Administrator Nebraska Wesleyan University